Category Archives: Security

Cryptography, Security, Hacks, etc..

Further Adventures in OpenID Delegation Land

Posted on by

Having gotten OpenID delegation going I had to go and play some more.. 🙂

Now I was a bit puzzled about the OpenID XRDS Url mentioned in Eran’s plugin, I don’t see if being created at WordPress.com and the thought of just putting a URL in there and hoping is a bit, well, unsatisfying. Now that isn’t Evan’s fault, it’s just the fact that the WordPress service isn’t that well documented for delegation and I was hoping for something that would go a little bit further.

Before I found Evan’s OpenID Delegation plugin I came across Will Norris’s WP-Yadis plugin (originally wp-xrds) but it didn’t really work under PHP5 and so I had quickly skipped over it. Having found myself not quite happy with the outcome of using Evan’s (again, not his fault) I decided to go back and see if I could fix up the PHP4 code that wasn’t happy with PHP5.

Now it turns out it wasn’t that hard to fix, just 3 instances of foreach() where a variable needed casting to Array. That let me put in the OpenID Server Url and OpenID Delegate Server Url that I had been using previously and magically created a XRDS (aka Yadis) document. Brilliant I thought.

But wp-yadis could do more, it already had a set of definitions for a number of providers so that you could just pick the one you wanted and give it your username and let it automatically generate the URLs, but there wasn’t anything for WordPress. A bit more hacking later (to add a substitution to the server URL that was previously only happening on the delegation URL) and it was working!

I’ve sent Will the patch by email, but as the licensing isn’t clear I can’t really make it available here without Will’s approval.

OpenID Delegation To WordPress.com

Posted on by

Now that WordPress.com blogs include an OpenID server for free and most WordPress users have an account there as they need it for Akismet to work, it turns out they can use it as the invisible back end to authenticate via their own WordPress blogs (hosted elsewhere) using the concept of delegation.

I thought it would be interesting to try and get OpenID delegation going on this blog as a proof of concept, and because I’m tired of commenting on Tim Connors blog as anonymous. 🙂

Now whilst OpenID delegation requires nothing more than a couple of lines of HTML, on a site that is dynamically generated like a blog you need a bit of code to add that into the front page, otherwise it’s not going to work. With WordPress that is done via plugins and casting around I found Eran Sandler’s OpenID Delegate plugin which I took for a spin.

It’s easy to install, a single PHP file in your wp-content/plugins directory, and then an OpenID Delegation item appears in your Option menu. Clicking on that and you will see three cryptically named options:

  • OpenID Server Url – this is the URL that access the OpenID server code
  • OpenID Delegate Server Url – this is the URL for the OpenID that you possess
  • OpenID XRDS Url – this is a URL for a special file that is supposed to control the delegation

Initially I tried setting http://????.wordpress.com/ for each field (where ???? is the name of my blog at WordPress.com) and that almost, but not quite, seemed to work according to the OpenID validator. It took me a while to figure out what was needed, but from this forum thread I found a clue that I’d missed a necessary option on the OpenID Server URL.

So, what got it to work for me (and presumably will for you too) is:

  • OpenID Server Url: http://yourblog.wordpress.com/?openidserver=1
  • OpenID Delegate Server Url: http://yourblog.wordpress.com/
  • OpenID XRDS Url: http://yourblog.wordpress.com/

The proof that it works ?

A successful comment on Tim’s Live Journal using my blog as the OpenID server. That’s enough to make me happy..

EMI+Apple to sell “premium” tracks without DRM

Posted on by

A very interesting development courtesy of the BBC:

EMI said every song in its catalogue will be available in the “premium” format. It said the tracks without locks will cost more and be of higher quality than those it offers now.

These DRM free tracks will cost 99 pence on iTunes, but apparently that’s only for single tracks, you will be able to buy an entire album DRM free for the same cost as one with DRM. Steve Jobs said:

The right thing to do is to tear down walls that precluded interoperability by going DRM-free and that starts here today.

Connex Melbourne SMS Service Hacked (Update 5)

Posted on by

Myself and Jeremy have just received the following SMS from the Connex Melbourne SMS Service (run by Platypus World). It looks like they’ve been hacked.. 🙁

ALLAHU AKBR FROM CONNEX! our inspectorS Love Killing people – If you see one coming, run. Want to bomb a train? they will gladly help! See youin hell!

Not a good SMS message to get from your train company in the current climate..

Update 1: A Muslim friend of mine tells me that the message doesn’t make sense, Allah hu Akbar (God is great) is not the sort of thing that people say to each other.

Update 2: Looks like quite a few others got it too..

Update 3: I wonder if they also got hold of the phone records, or whether all they figured out was just how to feed a random message into their SMS everyone workflow..

Update 4: Last night (22:39 AEST) another Connex SMS message arrived, this time apparently legitimate, saying:

A hoax message was sent tonight to some users. Connex apologises and is investigating with the police.

There is a news story on the ABC this morning saying:

Around 10,000 people who have signed up to a timetable update system received a threatening message last night, after hackers broke into the system. […] Connex spokesman Andrew Cassidy has apologised for the incident and has reassured subscribers that their personal information is safe.

They are trying to reassure people that their details are safe:

“As far as we can see, the individual was able to get in, type this message and get it sent [and] had no other access to information stored in that database.”

The question is, then, how did the attacker get in ? Well, it seems like it was that age old problem..

Connex says passwords to the system have been changed to prevent further incidents.

My guess is it’s either people picking easy to guess passwords or (increasingly likely these days) a Windows system getting attacked by a virus or trojan and having a keylogger installed.

Update 5: It appears that the company that runs the SMS service for Connex are running their public facing systems on Windows, so it’s probably not that surprising that this hack happened. 🙁

Strangely enough this hack hasn’t made it onto their making news page.

Update 6: Just found an alternative rendering of the quote from the Connex spokesman:

“All they were able to do was to hack in and act as though they were a staff member doing a remote access to send a message to subscribes.”

Oh, so that’s all they could do..

Vista DRM Bites CD Audiophiles

Posted on by

It would appear that Vista’s DRM protection is for more than just “premium content” – even DRM protected “CD’s” apparently won’t play through S/PDIF (optical) outputs whereas they work just fine under Linux.

My test system’s high-end audio outputs are S/PDIF (Sony/Philips Digital Interface Format) compliant. S/PDIF is probably the most common high-end audio port around for PCs today. It also has no built-in DRM (digital rights management) capability, and that turned out to be an important matter. […] When I switched back to Vista, I tried to play Wilco’s Yankee Hotel Foxtrot CD. Whoops! Not a single sound emerged from my speakers. After a little investigation, I found that Vista disables media outputs that don’t incorporate DRM, when you try to play DRM protected media through them.

Quite sad really given that Vista couldn’t handle his on board RealTek ALC 882 audio chipset either!

That was a kick in the head. I have a fully legal CD in my hand. Any other version of Windows will play it, Linux will play it, Mac OS will play it, and my CD player will play it, but if you’re using S/PDIF for your computer-driven audio and Vista, you’re out of luck. If you have a card with a Toslink optical digital audio port, you will be able to play it.

Vista’s DRM really is Defective by Design.

Internet Explorer 2006 – 9 Months of Vulnerability

Posted on by

If you use Internet Explorer (IE) on Windows it appears that you spent 9 months open to being hacked on your computer.

For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

On the other side, Firefox had a single 9 day window of vulnerability to an exploit.

Microsoft Details on Vista Protections

Posted on by

For those who would like to see some corroboration of Peter Gutmann’s A Cost Analysis of Windows Vista Content Protection which I posted about previously you can access a document from Microsofts own website called Output Content Protection and Windows Vista which goes into some detail about what you can expect.

In the future, some types of premium content— through its content policy—will specify that a full-resolution analog VGA output is not allowed and that the resolution must be reduced. It is not practical to change the actual scanning rate of the display, particularly because some displays are fixed resolution. But what is important is that the information content of the signal is reduced to the resolution specified by the content owner. Basically, a high-resolution picture needs to be degraded to make it soft and fuzzy.

You may find that if you connect your LCD flat screen via a digital DVI cable it might just stop working.

In contrast, DVI without HDCP is definitely not liked by content owners, because it provides a pristine digital interface that can be captured cleanly. When playing premium content such as HD-DVD and Blu-Ray DVD, PVP-OPM will be required to turn off or constrict the quality of unprotected DVI. As a result, a regular DVI monitor will either get slightly fuzzy or go black, with a polite message explaining that it doesn’t meet security requirements.

Even your analog VGA monitor may get turned off in future.

There have been some successes in getting content owners to make some allowances for this ubiquitous interface. Consumers would certainly be unhappy if it were immediately outlawed; so instead, many content owners are requiring that its resolution be constricted when certain types of premium content are being played. Eventually they may require that analog VGA outputs be turned off completely; but for the moment, it is possible to provide the necessary level of protection by constricting the information content.

It’s not just users who are going to be worse off under this scheme – would you like to be a graphics card manufacturer when Microsoft tell you things like this ?

Content Industry Agreement hardware robustness rules must be interpreted by the graphics hardware manufacturer. Vendors should work to ensure that their implementations will not be revoked for playback of high-level premium content, as the result of a valid complaint from the content owners.

and

It is the responsibility of the graphics chip manufacturer to ensure that their chips are not used to manufacture “hacker friendly” graphics cards or motherboards. If someone does try to manufacture such a card, then the graphics manufacturer should refuse to sell chips to that board manufacturer.

So those are some random restrictions, if you read the whole document you’ll find plenty more to get your blood boiling quite nicely..

Found via a useful comment by Sergio on Bruce Schneier’s blog post about PG’s analysis.